From 868bc3753bb0626af87c886a0371a161e6f80380 Mon Sep 17 00:00:00 2001
From: Ondrej Mirtes
Date: Tue, 24 Feb 2026 14:01:21 +0100
Subject: [PATCH 1/8] Actionlint
---
 .github/actionlint-matcher.json | 17 +++++++++++++++++
 .github/actionlint.yaml | 19 +++++++++++++++++++
 .github/workflows/actionlint.yml | 21 +++++++++++++++++++++
 3 files changed, 57 insertions(+)
 create mode 100644 .github/actionlint-matcher.json
 create mode 100644 .github/actionlint.yaml
 create mode 100644 .github/workflows/actionlint.yml
diff --git a/.github/actionlint-matcher.json b/.github/actionlint-matcher.json
new file mode 100644
index 0000000..4613e16
--- /dev/null
+++ b/.github/actionlint-matcher.json
@@ -0,0 +1,17 @@
+{
+ "problemMatcher": [
+ {
+ "owner": "actionlint",
+ "pattern": [
+ {
+ "regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$",
+ "file": 1,
+ "line": 2,
+ "column": 3,
+ "message": 4,
+ "code": 5
+ }
+ ]
+ }
+ ]
+}
diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
new file mode 100644
index 0000000..2cf4ae9
--- /dev/null
+++ b/.github/actionlint.yaml
@@ -0,0 +1,19 @@
+self-hosted-runner:
+ # Labels of self-hosted runner in array of strings.
+ labels: []
+
+# Configuration variables in array of strings defined in your repository or
+# organization. `null` means disabling configuration variables check.
+# Empty array means no configuration variable is allowed.
+config-variables: null
+
+# Configuration for file paths. The keys are glob patterns to match to file
+# paths relative to the repository root. The values are the configurations for
+# the file paths. Note that the path separator is always '/'.
+# The following configurations are available.
+#
+# "ignore" is an array of regular expression patterns. Matched error messages
+# are ignored. This is similar to the "-ignore" command line option.
+paths:
+# .github/workflows/**/*.yml:
+# ignore: []
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
new file mode 100644
index 0000000..1838ba3
--- /dev/null
+++ b/.github/workflows/actionlint.yml
@@ -0,0 +1,21 @@
+name: Lint GitHub Actions workflows
+on:
+ pull_request:
+ push:
+ branches:
+ - "main"
+
+jobs:
+ actionlint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ - name: Download actionlint
+ id: get_actionlint
+ run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+ shell: bash
+ - name: Check workflow files
+ run: |
+ echo "::add-matcher::.github/actionlint-matcher.json"
+ ${{ steps.get_actionlint.outputs.executable }} -color
+ shell: bash
From 749efd098651360fbd27a262574a28b2f13c88f7 Mon Sep 17 00:00:00 2001
From: Ondrej Mirtes
Date: Tue, 24 Feb 2026 14:05:39 +0100
Subject: [PATCH 2/8] Fix actionlint
---
 .github/workflows/claude-org-wide.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/claude-org-wide.yml b/.github/workflows/claude-org-wide.yml
index 549a426..4d5df10 100644
--- a/.github/workflows/claude-org-wide.yml
+++ b/.github/workflows/claude-org-wide.yml
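Review bot: The `Download actionlint` step in the actionlint.yml hunk executes an unpinned script fetched from the `main` branch of a third-party repository, `bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)`, so whatever that branch serves at run time runs inside the checked-out workspace (and, with checkout's default credential persistence, next to the job token); the same line reappears in the lint-workflows.yml hunk of patch 4 and in the patch 5 hunk. Pinning the script to a release tag or commit and verifying its digest, or installing a fixed actionlint release, makes the input reproducible and reviewable, and `curl -fsSL` turns an HTTP error into a failure instead of handing an error page to bash. This file also declares no top-level `permissions:`, so the token carries the repository default; `permissions: contents: read` would bound it (patch 4's replacement file does set `permissions: {}`).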
@@ -86,9 +86,11 @@ jobs:
 COMMENT_BODY: ${{ github.event.comment.body }}
 run: |
 REQUEST=$(echo "$COMMENT_BODY" | sed 's|@phpstan-bot||g' | sed 's/^[[:space:]]*//')
- echo "request<> "$GITHUB_OUTPUT"
- echo "$REQUEST" >> "$GITHUB_OUTPUT"
- echo "EOF" >> "$GITHUB_OUTPUT"
+ {
+ echo "request<> "$GITHUB_OUTPUT"
 - name: "Run Claude Code on repository"
 uses: anthropics/claude-code-action@v1
From 93c2e8f9f603c75f5174c3c5816f09c42b1b155a Mon Sep 17 00:00:00 2001
From: Ondrej Mirtes
Date: Tue, 24 Feb 2026 14:06:12 +0100
Subject: [PATCH 3/8] Fix workflow
---
 .github/workflows/claude-org-wide.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/claude-org-wide.yml b/.github/workflows/claude-org-wide.yml
index 4d5df10..3925880 100644
--- a/.github/workflows/claude-org-wide.yml
+++ b/.github/workflows/claude-org-wide.yml
@@ -49,7 +49,8 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 60
 permissions:
- contents: read
+ contents: write
+ pull-requests: write
 strategy:
 fail-fast: false
 max-parallel: 10
From 608a62c6877c620e724b5a1f6f5ce9af16223182 Mon Sep 17 00:00:00 2001
From: Ondrej Mirtes
Date: Tue, 24 Feb 2026 14:09:13 +0100
Subject: [PATCH 4/8] Octoscan
---
 .github/workflows/actionlint.yml | 21 -------------
 .github/workflows/lint-workflows.yml | 44 ++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 21 deletions(-)
 delete mode 100644 .github/workflows/actionlint.yml
 create mode 100644 .github/workflows/lint-workflows.yml
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
deleted file mode 100644
index 1838ba3..0000000
--- a/.github/workflows/actionlint.yml
+++ /dev/null
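Review bot: Raising `contents: read` to `contents: write` plus `pull-requests: write` in the patch 3 hunk hands a token that can push commits and edit pull requests to a job whose input, per the patch 2 hunk of the same file, is the raw issue-comment body (`COMMENT_BODY: ${{ github.event.comment.body }}`) forwarded to claude-code-action; unless the job's `if:` condition (outside this hunk) limits the trigger to trusted author associations, any commenter can steer an agent that holds write rights. Worth confirming that gate before merging, and documenting why each scope is needed so the next reader knows what can be dropped, e.g. `contents: write # needed by claude-code-action to push — confirm` and `pull-requests: write # needed to post review comments — confirm`.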
@@ -1,21 +0,0 @@
-name: Lint GitHub Actions workflows
-on:
- pull_request:
- push:
- branches:
- - "main"
-
-jobs:
- actionlint:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v6
- - name: Download actionlint
- id: get_actionlint
- run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
- shell: bash
- - name: Check workflow files
- run: |
- echo "::add-matcher::.github/actionlint-matcher.json"
- ${{ steps.get_actionlint.outputs.executable }} -color
- shell: bash
diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml
new file mode 100644
index 0000000..e8cb81c
--- /dev/null
+++ b/.github/workflows/lint-workflows.yml
@@ -0,0 +1,44 @@
+name: Lint GitHub Actions workflows
+on:
+ pull_request:
+ push:
+ branches:
+ - "main"
+
+permissions: {}
+
+jobs:
+ actionlint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ - name: Download actionlint
+ id: get_actionlint
+ run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+ shell: bash
+ - name: Check workflow files
+ run: |
+ echo "::add-matcher::.github/actionlint-matcher.json"
+ ${{ steps.get_actionlint.outputs.executable }} -color
+ shell: bash
+
+ octoscan:
+ name: Octoscan
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required for codeql-action/upload-sarif to upload SARIF files.
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@v6
+ - name: Run octoscan
+ id: octoscan
+ uses: synacktiv/action-octoscan@v1
+ with:
+ filter_triggers: ''
+
+ - name: Upload SARIF file to GitHub
+ uses: github/codeql-action/upload-sarif@v4
+ with:
+ sarif_file: "${{steps.octoscan.outputs.sarif_output}}"
+ category: octoscan
+ wait-for-processing: false
From d29c44bec33f4b9655d207beb6ef7b616adb8891 Mon Sep 17 00:00:00 2001
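Review bot: The new `octoscan` job in the lint-workflows.yml hunk references every action by a mutable major tag (`actions/checkout@v6`, `synacktiv/action-octoscan@v1`, `github/codeql-action/upload-sarif@v4`); for a third-party scanner that reads the whole workflow tree and a step that writes to the repository's code-scanning results, pinning to a full commit SHA with the tag in a trailing comment is the usual defence against a retagged release, e.g. `uses: synacktiv/action-octoscan@<commit-sha> # v1`. The job also requests `security-events: write` under a `pull_request` trigger; if this repository accepts pull requests from forks, the token on those runs is read-only and the upload step would presumably fail rather than skip, so either an `if: github.event.pull_request.head.repo.full_name == github.repository` guard on the upload or a note accepting that failure mode would help. The top-level `permissions: {}` is a good default and worth keeping.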
From: Ondrej Mirtes
Date: Tue, 24 Feb 2026 14:13:23 +0100
Subject: [PATCH 5/8] Fix Actionlint
---
 .github/workflows/lint-workflows.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml
index e8cb81c..c9e4e5b 100644
--- a/.github/workflows/lint-workflows.yml
+++ b/.github/workflows/lint-workflows.yml
@@ -12,14 +12,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v6
- - name: Download actionlint
- id: get_actionlint
- run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
- shell: bash
 - name: Check workflow files
 run: |
 echo "::add-matcher::.github/actionlint-matcher.json"
- ${{ steps.get_actionlint.outputs.executable }} -color
+ bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+ ./actionlint -color
 shell: bash
 octoscan:
From b3638373018c1b3ee9ac974993f1678b96142da3 Mon Sep 17 00:00:00 2001
From: Ondrej Mirtes
Date: Tue, 24 Feb 2026 14:18:40 +0100
Subject: [PATCH 6/8] Test
---
 .github/workflows/claude-org-wide.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/claude-org-wide.yml b/.github/workflows/claude-org-wide.yml
index 3925880..52edae7 100644
--- a/.github/workflows/claude-org-wide.yml
+++ b/.github/workflows/claude-org-wide.yml
@@ -87,11 +87,9 @@ jobs:
 COMMENT_BODY: ${{ github.event.comment.body }}
 run: |
 REQUEST=$(echo "$COMMENT_BODY" | sed 's|@phpstan-bot||g' | sed 's/^[[:space:]]*//')
- {
- echo "request<> "$GITHUB_OUTPUT"
+ echo "request<> "$GITHUB_OUTPUT"
+ echo "$REQUEST" >> "$GITHUB_OUTPUT"
+ echo "EOF" >> "$GITHUB_OUTPUT"
 - name: "Run Claude Code on repository"
 uses: anthropics/claude-code-action@v1
From 711f5cdf747b98acf3b0c474f09ad1ea17d37e2a Mon Sep 17 00:00:00 2001
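Review bot: In the patch 5 hunk the download now runs inside a process substitution, `bash <(curl https://...download-actionlint.bash)`, whose exit status bash never checks, and curl without `-f` reports success on an HTTP error; a failed or redirected download therefore leaves the step "green" up to the next line, where the hard-coded `./actionlint -color` fails with an unrelated-looking "No such file" error. Fetching to a file with `curl -fsSL -o download-actionlint.bash <url>` and then running `bash download-actionlint.bash` as its own command lets the step's `-e` shell option stop on the real failure. A one-line comment such as `# download-actionlint.bash places the binary in the current directory` would also document the `./actionlint` coupling that replaced the old `steps.get_actionlint.outputs.executable` indirection; the pinning concern raised on the patch 1 hunk applies here unchanged.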
From: Ondrej Mirtes
Date: Tue, 24 Feb 2026 14:20:34 +0100
Subject: [PATCH 7/8] Random delimiter to pass to GITHUB_OUTPUT
---
 .github/workflows/claude-org-wide.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/claude-org-wide.yml b/.github/workflows/claude-org-wide.yml
index 52edae7..847b13d 100644
--- a/.github/workflows/claude-org-wide.yml
+++ b/.github/workflows/claude-org-wide.yml
@@ -87,9 +87,10 @@ jobs:
 COMMENT_BODY: ${{ github.event.comment.body }}
 run: |
 REQUEST=$(echo "$COMMENT_BODY" | sed 's|@phpstan-bot||g' | sed 's/^[[:space:]]*//')
- echo "request<> "$GITHUB_OUTPUT"
+ delimiter="$(openssl rand -hex 16)"
+ echo "request<<${delimiter}" >> "$GITHUB_OUTPUT"
 echo "$REQUEST" >> "$GITHUB_OUTPUT"
- echo "EOF" >> "$GITHUB_OUTPUT"
+ echo "${delimiter}" >> "$GITHUB_OUTPUT"
 - name: "Run Claude Code on repository"
 uses: anthropics/claude-code-action@v1
From 900dedfbf2c36421c678eb6b76db432623f736de Mon Sep 17 00:00:00 2001
From: Ondrej Mirtes
Date: Tue, 24 Feb 2026 14:22:24 +0100
Subject: [PATCH 8/8] Actionlint ignore SC2129
---
 .github/actionlint.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
index 2cf4ae9..b24efa8 100644
--- a/.github/actionlint.yaml
+++ b/.github/actionlint.yaml
@@ -15,5 +15,8 @@ config-variables: null
 # "ignore" is an array of regular expression patterns. Matched error messages
 # are ignored. This is similar to the "-ignore" command line option.
 paths:
-# .github/workflows/**/*.yml:
-# ignore: []
+ .github/workflows/**/*.{yml,yaml}:
+ # List of regular expressions to filter errors by the error messages.
+ ignore:
+ # Ignore the specific error from shellcheck
+ - 'shellcheck reported issue in this script: SC2129:.+'
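Review bot: The random heredoc delimiter in the patch 7 hunk closes the gap where a comment body containing a literal `EOF` line could end the `request` value early, but the unchanged `echo "$REQUEST" >> "$GITHUB_OUTPUT"` still lets bash's builtin echo treat a body beginning with `-n`, `-e` or `-E` as options (assuming the default bash shell for this `run:` step, since no `shell:` is visible); `printf '%s\n' "$REQUEST" >> "$GITHUB_OUTPUT"` writes the value verbatim. The delimiter line also deserves a why-comment, e.g. `# random delimiter so untrusted comment text cannot contain the terminator`, because patch 6 shows how easily this gets simplified back to a fixed `EOF`. The enclosing step starts before this hunk, so the step's `shell:` and the job's `if:` gate could not be checked here.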
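Review bot: The new `ignore` entry in the patch 8 hunk silences SC2129 for every run script in every workflow matched by `.github/workflows/**/*.{yml,yaml}`, not only the `$GITHUB_OUTPUT` block in claude-org-wide.yml that motivated it, so the same warning appearing in another workflow later would pass unnoticed. Narrowing the path key to that one file, or at least replacing `# Ignore the specific error from shellcheck` with a comment that names the location and reason, e.g. `# SC2129 (use a single redirect): claude-org-wide.yml writes $GITHUB_OUTPUT with separate redirects on purpose`, keeps the exception traceable; if the project prefers exceptions next to the code, a `# shellcheck disable=SC2129` directive inside that run script is the alternative to a repository-wide ignore. Either way, actionlint ignore patterns are regular expressions matched against the message text, which is worth stating next to the entry since the surrounding `paths` keys are globs.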